Create and Import Java Code Signing Certificate to use in Oracle E-Business Suite
Ref: Oracle Note "Enhanced Jar Signing for Oracle E-Business Suite" (Doc ID 1591073.1)
The Oracle note is an important document and covers most of the errors and resolutions, but there are shortcomings in the document. I did not use the ADJAVA command and substituted the KEYTOOL command instead.
1) Generate KeyPair
keytool -genkey -keyalg RSA -keysize 4096 -alias EbsJarCert -keypass EbsJarkp1 -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -v
What is your first and last name?
[Unknown]: EbsJarServ.com
What is the name of your organizational unit?
[Unknown]: Ebs
What is the name of your organization?
[Unknown]: Ebs Company
What is the name of your City or Locality?
[Unknown]: Washington
What is the name of your State or Province?
[Unknown]: District of Columbia
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US correct?
[no]: yes
Generating 4,096 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
for: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
[Storing /ebs/app/keystore.dat]
2) Verify KeyPair
$ keytool -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert
(You can also execute the same command with adjkey:
adjkey -list -v -storepass EbsJarsp1 -keystore /ebs/home/test/keystore.dat -alias EbsJarCert)
Alias name: EbsJarCert
Creation date: Dec 17, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Issuer: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Serial number: 52b06a4a
Valid from: Tue Dec 17 09:05:46 EST 2013 until: Mon Mar 17 10:05:46 EDT 2014
Certificate fingerprints:
MD5: 10:37:62:7D:60:EA:89:AF:15:77:19:62:59:49:28:DD
SHA1: 02:93:CC:96:BD:EF:CE:28:B9:38:51:8E:4B:F8:94:05:ED:C8:68:0A
Signature algorithm name: SHA1withRSA
Version: 3
3) Request Certificate (CSR)
keytool -certreq -alias EbsJarCert \
  -storepass EbsJarsp1 -keypass EbsJarkp1 \
  -file /ebs/home/test/EbsJarCert.csr \
  -keystore /ebs/home/test/keystore.dat
4) Submit your CSR to the Signing Authority for a certificate (Verisign)
Note: Be sure to request a Java Code Signing Certificate. This certificate can be used to sign your jar content across one or multiple Oracle E-Business Suite environments. After you get the certificate, export it in X509 format and FTP it in ASCII mode to the web server.
5) Verify the Certificate (CRT) after you receive it from Verisign
keytool -printcert -v -file /ebs/home/test/EbsJarCert.crt
6) Import Intermediate and Root Certificate to the cacerts Keystore File
Create myca.crt (by exporting the Intermediate and Root Certificates in X509 format):
cd $OA_JRE_TOP/jre/lib/security/
chmod +w cacerts
cat inter.crt root.crt > myca.crt
keytool -import -alias myca -file myca.crt -trustcacerts -v -keystore cacerts
chmod a-w cacerts
Note: The default password for the Java cacerts keystore file is usually changeit.
7) Import the Java Code Signing Certificate into the Keystore
Create EbsJarCert.crt (by exporting the .crt in X509 format):
cp EbsJarCert.crt $APPL_TOP/admin/adkeystore.crt
cp /ebs/home/test/keystore.dat $APPL_TOP/admin/adkeystore.dat
Import the certificate:
keytool -import \
  -file /ebs/app/test/appl/admin/adkeystore.crt \
  -trustcacerts \
  -storepass EbsJarsp1 \
  -alias EbsJarCert \
  -keystore /ebs/app/test/appl/admin/adkeystore.dat
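As an added check before handing the keystore to ADADMIN (example script, not from the Oracle note or the original post), the following parses a saved "keytool -list -v" dump of the adkeystore.dat entry and confirms the step 7 import actually replaced the self-signed certificate from step 1 with the CA-issued chain. The two sample dumps and the issuer name in the CA-signed one are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle note or the original post. Checks a saved
# "keytool -list -v -keystore adkeystore.dat -alias EbsJarCert" dump: after
# step 7 the entry must carry the CA chain (length > 1, issuer differs from
# owner). Chain length 1 with owner == issuer means the self-signed key from
# step 1 is still in place and the signed JARs will not be trusted.

# check_keystore_dump FILE -> 0 if the entry is CA-issued, 1 otherwise
check_keystore_dump() {
  dump="$1"
  chain=$(sed -n 's/^ *Certificate chain length: *//p' "$dump" | head -n 1)
  owner=$(sed -n 's/^ *Owner: *//p' "$dump" | head -n 1)
  issuer=$(sed -n 's/^ *Issuer: *//p' "$dump" | head -n 1)
  sigalg=$(sed -n 's/^ *Signature algorithm name: *//p' "$dump" | head -n 1)
  [ -n "$chain" ] || { echo "no certificate chain in $dump"; return 1; }
  if [ "$chain" -lt 2 ] || [ "$owner" = "$issuer" ]; then
    echo "self-signed entry (chain length $chain): import the CA-issued certificate first"
    return 1
  fi
  # SHA1withRSA is what keytool generated by default in step 1; flag it so the
  # CA-issued certificate can be checked for a SHA-2 signature instead.
  case "$sigalg" in
    SHA1withRSA|MD5withRSA) echo "warning: weak signature algorithm $sigalg" ;;
  esac
  echo "ok: chain length $chain, issued by $issuer"
  return 0
}

# Constructed sample dumps (abbreviated keytool output) so the check runs offline.
WORK=$(mktemp -d)
cat > "$WORK/selfsigned.txt" <<'EOF'
Alias name: EbsJarCert
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Issuer: CN=EbsJarServ.com, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Signature algorithm name: SHA1withRSA
EOF
cat > "$WORK/casigned.txt" <<'EOF'
Alias name: EbsJarCert
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=EbsJarServ.com, OU=Digital ID Class 3 - Java Object Signing, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
Issuer: CN=Example Code Signing CA (constructed), O=Example CA, C=US
Signature algorithm name: SHA256withRSA
EOF
check_keystore_dump "$WORK/casigned.txt"
```

On a live system, save the output of the step 2 keytool -list command against $APPL_TOP/admin/adkeystore.dat to a file and pass that file to check_keystore_dump.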
8) Verify and Update jripasswords in the database
Login as APPS:
SQL> set serveroutput on
declare
  spass varchar2(30);
  kpass varchar2(30);
begin
  ad_jar.get_jripasswords(spass, kpass);
  dbms_output.put_line('--------');
  dbms_output.put_line('STOREPASS = '||spass);
  dbms_output.put_line('KEYPASS = '||kpass);
  dbms_output.put_line('--------');
end;
/
If STOREPASS and KEYPASS do not match adkeystore.dat, update them with the correct passwords:
SQL> exec ad_jar.DEL_JRIPASSWORDS;
SQL> exec ad_jar.PUT_JRIPASSWORDS('EbsJarsp1','EbsJarkp1');
9) Generate JAR files with ADADMIN
vi $APPL_TOP/admin/adsign.txt
EbsJarCert 1 CUST
adadmin
Choose the Generate Applications Files menu.
From this menu choose Generate product JAR files.
Enter yes when prompted with: Do you wish to force regeneration of all jar files? [No] ? yes
10) Verify the Digital Signature of a Signed Jar File
jarsigner -verify -verbose -certs /ebs/app/test/comn/java/oracle/apps/fnd/jar/fndlist.jar
X.509, CN=EbsJarServ.com, OU=Digital ID Class 3 - Java Object Signing, OU=Ebs, O=Ebs Company, L=Washington, ST=District of Columbia, C=US
[certificate is valid from 12/17/13 7:00 PM to 12/16/15 6:59 PM]
jar verified.
11) Test the Applications
Java Control Panel -> Security -> Security Level: Very High
Java Control Panel -> Advanced -> Show Console (check)
Java Control Panel -> Advanced -> Enable logging (check)
Java Control Panel -> Advanced -> Enable Trace (check)
Login to Applications and test. Verify the output in the Java Console for any issues, errors or warnings. Some of them are:
Missing Permissions manifest attribute for: https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar
Missing Codebase manifest attribute for: https://11iurl/OA_JAVA/oracle/apps/fnd/jar/fndutil.jar
Fix
Not all of the JAR files are signed properly. Run the following commands:
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -reportfile javatopfiles.lst
adjava -mx512m -nojit oracle.apps.ad.jri.adjcopy -masterArchive $JAVA_TOP -sync -mode APPLY
Then run ADADMIN again and force generate the JAR files.
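To confirm a regenerated JAR carries the attributes those console warnings complain about, the following added example (not from the Oracle note or the original post) reads a JAR manifest and reports whether Permissions and Codebase are present; the sample manifests are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle note or the original post. Checks a JAR
# manifest for the Permissions and Codebase attributes whose absence produces
# the "Missing Permissions manifest attribute" console warning. Manifest
# values over 72 bytes are wrapped onto continuation lines that begin with a
# single space, so the manifest is unfolded before the attributes are read.

# unfold_manifest FILE -> prints the manifest with continuation lines joined
unfold_manifest() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' "$1"
}

# manifest_attr FILE NAME -> prints the value of main attribute NAME, if any
manifest_attr() {
  unfold_manifest "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# check_manifest FILE -> 0 when both attributes are present, 1 otherwise
check_manifest() {
  perms=$(manifest_attr "$1" Permissions)
  codebase=$(manifest_attr "$1" Codebase)
  rc=0
  [ -n "$perms" ] || { echo "Missing Permissions manifest attribute in $1"; rc=1; }
  [ -n "$codebase" ] || { echo "Missing Codebase manifest attribute in $1"; rc=1; }
  [ "$rc" -eq 0 ] && echo "$1: Permissions=$perms Codebase=$codebase"
  return "$rc"
}

# Constructed sample manifests. On a real JAR, extract the manifest with:
#   unzip -p $JAVA_TOP/oracle/apps/fnd/jar/fndutil.jar META-INF/MANIFEST.MF
WORK=$(mktemp -d)
cat > "$WORK/signed.mf" <<'EOF'
Manifest-Version: 1.0
Permissions: all-permissions
Codebase: https://ebs.example.com https://ebs-dr.example.com https://ebs-t
 est.example.com
Application-Name: Oracle E-Business Suite
EOF
printf 'Manifest-Version: 1.0\nCreated-By: constructed sample\n' > "$WORK/unsigned.mf"
check_manifest "$WORK/signed.mf"
```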
For errors in the Java console such as:
network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT
network: Connecting http://ocsp.verisign.com:80/ with proxy=DIRECT
security: Failing over to CRLs: java.net.SocketTimeoutException: connect timed out
network: Cache entry not found [url: http://crl.verisign.com/pca3-g5.crl, version: null]
network: Connecting http://crl.verisign.com/pca3-g5.crl with proxy=DIRECT
network: Connecting http://crl.verisign.com:80/ with proxy=DIRECT
network: Connecting http://ocsp.verisign.com/ with proxy=DIRECT
network: Connecting http://ocsp.verisign.com:80/ with proxy=DIRECT
security: Failing over to CRLs: java.net.SocketTimeoutException: connect timed out
network: Cache entry not found [url: http://crl.verisign.com/pca3-g5.crl, version: null]
network: Connecting http://crl.verisign.com/pca3-g5.crl with proxy=DIRECT
network: Connecting http://crl.verisign.com:80/ with proxy=DIRECT
Fix
Control Panel -> Java -> Advanced tab -> 'Perform certificate revocation checks on' section: select "DO NOT CHECK".